Sun Java System Identity Manager Bugs Let Local and Remote Users Gain Privileges
|
|
SecurityTracker Alert ID: 1021881 |
|
SecurityTracker URL: http://securitytracker.com/id/1021881
|
|
CVE Reference:
CVE-2009-1074, CVE-2009-1075, CVE-2009-1076, CVE-2009-1077, CVE-2009-1078, CVE-2009-1079, CVE-2009-1080, CVE-2009-1081, CVE-2009-1082, CVE-2009-1083, CVE-2009-1084
(Links to External Site)
|
Updated: Apr 1 2009
|
Original Entry Date: Mar 20 2009
|
Impact:
Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of authentication information, Modification of system information, Modification of user information, User access via local system, User access via network
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): 7.x, 8.x
|
Description:
Several vulnerabilities were reported in Sun Java System Identity Manager. A local or remote user can access or modify data, conduct cross-site scripting attacks, or gain privileges on the target system.
A remote user monitoring the network between a client and the target Identity Manager (IDM) server can obtain information from non-SSL connections.
A local or remote user can determine value usernames on the target system.
A local or remote user can modify a password on a target user account.
A local or remote authenticated user can perform restricted actions.
A remote user can conduct cross-site scripting attacks.
A remote authenticated user can conduct cross-site scripting and cross-site request forgery attacks.
A local or remote authenticated user can execute arbitrary commands on Linux/UNIX-based resource adapters.
A local or remote authenticated user can modify system configuration data.
A remote authenticated user with privileges on a Linux/UNIX-based resource that is configured with root access can gain additional privileges or to execute arbitrary code on the target IDM system.
Marco Mella, Alexandre Bezroutchko of Scanit, Dan Sinclair of Security Compass, and ProCheckUp Ltd reported these vulnerabilities.
|
Impact:
A remote user can obtain potentially sensitive information.
A local or remote user can determine valid usernames on the target system.
A remote authenticated user can execute arbitrary commands on the target system.
A local or remote user can modify a password on a target user account.
A local or remote authenticated user can perform restricted actions.
A remote user can conduct cross-site scripting attacks.
A remote authenticated user can conduct cross-site scripting and cross-site request forgery attacks.
A local or remote authenticated user can modify system configuration data.
|
Solution:
Sun has issued the following fixes.
* Sun Java System Identity Manager 7.0 with patch 140935-01
* Sun Java System Identity Manager 7.1 with patch 140936-01
* Sun Java System Identity Manager 7.1.1 with patch 137621-11
* Sun Java System Identity Manager 8.0 with patch 139010-06
The vendor's advisory is available at:
http://sunsolve.sun.com/search/document.do?assetkey=1-66-253267-1
|
Vendor URL: sunsolve.sun.com/search/document.do?assetkey=1-66-253267-1 (Links to External Site)
|
Cause:
Not specified
|
Underlying OS:
Linux (Any), UNIX (Solaris - SunOS), Windows (Any)
|
|
Message History:
None.
|
Source Message Contents
|
Date: Fri, 20 Mar 2009 09:57:02 -0500
Subject: http://sunsolve.sun.com/search/document.do?assetkey=1-66-253267-1
|
253267
Sun Java System Identity Manager Security Vulnerabilities
|
|
